DHS Plans To Formalize Bug Disclosure Policy

The policy will make it easier for computer researchers to share hackable vulnerabilities they find in Homeland Security systems.

The Homeland Security Department plans to formalize a method for ethical hackers to share with the department hackable vulnerabilities they find in its public-facing websites and other internet tools, Secretary Kirstjen Nielsen told lawmakers Thursday.

That would bring Homeland Security up to speed with the Defense Department and the General Services Administration’s tech transformation wing, which already have vulnerability disclosure policies.

The progress is too slow, however, for Rep. Jim Langevin, D-R.I., who pressed Nielsen about the issue during a budget hearing before the Homeland Security Committee.

“I wasn’t satisfied with her response, but I think she has good intentions,” Langevin told Nextgov after the hearing. “I want to work with her to make sure DHS has a robust vulnerability disclosure policy in place and she did say she’s willing to work on that.”

Currently, Homeland Security has an informal process for accepting vulnerability reports, Nielsen told Langevin. That happens primarily through the department’s cyber operations division, the National Cybersecurity and Communications Integration Center, or its Computer Emergency Readiness Team, which runs a clearinghouse for all cyber threat information, she said.

Homeland Security is in the process of making that process clearer for ethical hackers who want to report bugs, Nielsen said.

In addition to supplying internet security researchers with a point person when they find hackable bugs, vulnerability disclosure policies typically give researchers guidance on how to scour for vulnerabilities without running afoul of the organization’s policies or computer hacking laws, which are notoriously murky.

The government’s cyber standards agency, the National Institute of Standards and Technology, has urged industry to adopt vulnerability disclosure policies.

“First and foremost, there has to be a process in place so that if a security researcher comes across a vulnerability at DHS, there’s a clear mechanism in place as to whom to report it to and a commitment on their part that it's clear what they’re going to do about it,” Langevin said.

Legislation that passed the Senate this month would go one step further than a vulnerability disclosure policy by mandating a bug bounty at Homeland Security. That’s essentially a contest that offers ethical hackers cash rewards for the vulnerabilities they uncover.

The Defense Department has run four bug bounties, one each at the Pentagon and Army and two at the Air Force.

Nielsen repeated a warning Thursday that a bug bounty will be useful for uncovering vulnerabilities at her agency, but “isn’t a silver bullet.” If the bug bounty bill becomes law and the department has sufficient funding, Homeland Security will implement it, she said.

Homeland Security officials previously warned that a bug bounty might duplicate work the agency is already doing to hunt for vulnerabilities and that scarce resources might be better spent elsewhere.

Companion legislation to mandate a Homeland Security bug bounty has been introduced by Rep. Ted Lieu, D-Calif., in the House.

Langevin supports a Homeland Security bug bounty eventually, he told Nextgov, but doesn’t want to force the agency into a bug bounty program before it’s arranged the resources to properly run it and to prioritize and patch vulnerabilities that independent researchers uncover.

He noted that the Defense Department’s “Hack the Pentagon” bug bounty required extensive preparation beforehand.

“Creating a vulnerability disclosure policy is obviously the first step,” he said.

Doing R and D on the Go

Nielsen defended, during Thursday’s hearing, the Trump administration’s plan to shift Homeland Security’s $41 million cyber research and development efforts from its science and technology wing to the department’s cyber operations division.

The goal, she said, is to better align the department’s research efforts with the cybersecurity needs of critical infrastructure sectors that the cyber operations division works with, such as energy plants, hospitals and airports.

“The threat continues to evolve very, very quickly so we need to be continuing to do R and D as we operate, [to] innovate as we go,” she said.

Langevin said he opposed the move and is worried Homeland Security’s cyber operations division is so busy with its primary responsibilities that research will become an afterthought.

The Senate version of a Homeland Security reauthorization bill would mandate that research money remain in the science and technology directorate.

Cyber Strategy Coming Soon

Nielsen also told lawmakers that a long-awaited government cybersecurity strategy will be released within the next two weeks.

One key element of that strategy will be a program for Homeland Security to provide cyber tools directly to critical industry, Nielsen said during a preview at the RSA Cybersecurity Conference last week.

Other priorities include focusing more on systemic cyber risks that cross industry sectors, improving cyber defense cooperation between industries and government, and making digital systems more resilient against cyber strikes.